International AI Compliance

Purpose

Cross-reference matrix of EU AI Act obligations versus Colorado AI Act (SB 205), NYC Local Law 144, and UK AI principles — so Blueprint projects operating across borders know where obligations align, diverge, or stack.

1. Overview: Four Regulatory Approaches

| Framework | Jurisdiction | Status | Approach |
|---|---|---|---|
| EU AI Act | EU + EEA | In force (phased from 2025) | Risk-based, horizontal, binding |
| Colorado SB 205 | Colorado, USA | In force Feb 2026 | High-risk focus, impact-assessment, state-level [so-57] |
| NYC Local Law 144 | New York City, USA | In force Jul 2023 | Narrow (employment tools), audit + disclosure [so-58] |
| UK AI Framework | United Kingdom | Non-binding guidance | Sector-based, principles-led, regulator-owned [so-59] |

Which framework applies to you?

Jurisdiction follows the location of deployment or the affected individuals, not just where your company is registered. A Belgian company deploying an AI hiring tool to NYC employees must satisfy both EU AI Act obligations and NYC LL 144.


2. Scope Comparison

What Systems Are Covered?

| Criterion | EU AI Act | Colorado SB 205 | NYC LL 144 | UK Framework |
|---|---|---|---|---|
| Scope trigger | AI system placed on EU market | "High-risk AI system" in consequential decisions | Automated employment decision tool used in NYC | Any AI system deployed in the UK |
| Definition of high-risk | 10+ defined application domains (Annex III) | Employment, housing, credit, healthcare, education, insurance | Employment screening and promotion only | No fixed definition — sector regulator decides |
| Applies to | Providers + deployers + importers | Deployers (developers if they deploy) | Employers using AEDT in NYC | Developers + deployers |
| Threshold | Per system category | Consequential decision affecting natural person | ≥ 1 NYC-based employee considered | Voluntary (mandatory sector guidance expected) |

Consequential Decisions Under Colorado SB 205

Colorado's law applies to AI used in decisions that have a material effect on:

  • Employment and employment opportunities
  • Education enrolment or opportunity
  • Financial services (credit, insurance)
  • Healthcare services
  • Housing applications
  • Legal services

3. Obligation Cross-Reference Matrix

| Obligation | EU AI Act (High Risk) | Colorado SB 205 | NYC LL 144 | UK Framework |
|---|---|---|---|---|
| Risk / impact assessment | Mandatory (Art. 9) | Mandatory before deployment | Bias audit (annual, independent) | Recommended |
| Documentation | Technical file + logs (Art. 11, 12) | Impact assessment record | Audit summary (public) | Recommended |
| Human oversight | Mandatory (Art. 14) | Mandated for consequential decisions | N/A | Principle 4 (accountability) |
| Transparency to individuals | Disclosure (Art. 13, 50) | Notice required (affected individuals) | Candidate notice required | Principle 2 (transparency) |
| Bias / fairness testing | Required (Art. 9 + 10) | Required (impact assessment) | Annual independent audit | Recommended |
| Complaints / redress | EU market surveillance | Individual right to appeal decision | N/A | ICO complaints route |
| Conformity assessment | Third-party (Annex VII) or self-assessment | Self-assessment + auditable records | Third-party auditor required | Self-assessment |
| Registration / notification | EU database (Art. 71) | No central registry | Public posting of audit summary | No registry |
| Penalties | Up to €30M / 6% global turnover | Up to $20,000 per violation | $500–$1,500 per violation | Sector regulator fines |

4. Blueprint Artefact Mapping per Jurisdiction

EU AI Act → Blueprint (see Risk Management)

Full mapping in NIST AI RMF section; key artefacts:

  • Art. 9 risk management → Risk Pre-Scan + Validation Report
  • Art. 10 data governance → Data Engineering sub-stream exit criteria
  • Art. 13 transparency → Hard Boundaries disclosure, system card
  • Art. 14 human oversight → Mode assignment + Human Oversight Protocol
  • Art. 17 QMS → prEN 18286 / ISO 42001 mapping (Evidence Standards §9)

Colorado SB 205 → Blueprint

| SB 205 Requirement | Blueprint Artefact |
|---|---|
| Impact assessment before deployment | Risk Pre-Scan (Discovery phase) + Validation Report |
| Reasonable care to protect against known/reasonably foreseeable risks | Hard Boundaries in Objective Card |
| Disclosure to individuals subject to consequential decisions | Transparency obligation in Delivery phase |
| Right to appeal and human review | Human Oversight Protocol (Mode ≥ 2) |
| Annual review if high-risk | Post-market monitoring (Art. 72 alignment) + Guardian ethics review |

NYC Local Law 144 → Blueprint

LL 144 is narrowly scoped to automated employment decision tools (AEDT) — AI used to screen candidates or evaluate employees for hire, promotion, or termination in New York City.

| LL 144 Requirement | Blueprint Artefact |
|---|---|
| Independent bias audit (annual) | Fairness Check (Validation Report §5) — note: LL 144 requires external auditor |
| Public summary of audit results | Guardian-signed summary; publish to careers page / company website |
| Candidate notice (before use) | Transparency obligation in Delivery phase — add LL 144-specific candidate notice |
| Employee notice (before use) | Same — include in HR system onboarding |

External auditor requirement

NYC LL 144 requires that bias audits are conducted by an independent third party — a Guardian employed by the same organisation does not satisfy this requirement. For employment tools deployed in NYC, contract an external AI auditing firm.

UK AI Framework → Blueprint

The UK takes a principles-led approach through existing sectoral regulators (ICO, FCA, CMA, MHRA) rather than a dedicated AI law. The five cross-sector principles map cleanly to Blueprint governance:

| UK Principle | Blueprint Anchor |
|---|---|
| Safety and security | Hard Boundaries, incident response, red teaming |
| Transparency and explainability | Mode transparency, system card, audit logs |
| Fairness | Fairness Check, bias audit thresholds |
| Accountability and governance | RACI matrix, Gate Reviews, Guardian role |
| Contestability and redress | Human Override Protocol, complaint routing |

5. Key Differences and Conflict Points

Where Frameworks Diverge

| Issue | EU AI Act | Colorado SB 205 | NYC LL 144 | UK |
|---|---|---|---|---|
| Audit frequency | Continuous monitoring (Art. 72) | Before deployment + ongoing | Annual | None mandated |
| Who audits | Self or notified body (third-party for critical) | Self + auditable records | External third party | Sector regulator guidance |
| Prohibited practices | Art. 5 explicit list | No explicit prohibitions | N/A | No explicit list |
| GPAI models | Chapter V obligations | Not addressed | N/A | No equivalent |

Stacking Risk: Multiple Jurisdictions

When a project is subject to more than one of these frameworks, apply the strictest requirement on each dimension:

  • Bias audit: LL 144 external-auditor requirement supersedes EU AI Act self-assessment
  • Audit frequency: EU Art. 72 post-market monitoring is continuous — stricter than LL 144's annual
  • Transparency: Colorado's individual notice requirement + LL 144's candidate notice = both required for NYC employment tools

6. Compliance Calendar (2026–2028)

| Date | Event |
|---|---|
| 5 Jul 2023 | NYC LL 144 — enforcement began |
| 2 Feb 2025 | EU AI Act Art. 5 prohibited practices apply |
| 2 Aug 2025 | EU AI Act GPAI obligations apply |
| 1 Feb 2026 | Colorado SB 205 — in force |
| 9 Dec 2026 | PLD 2024/2853 — transposition deadline |
| 2 Dec 2027 | EU AI Act Annex III (High Risk) deadlines (post-Omnibus) |
| 2 Aug 2028 | EU AI Act Annex I obligations apply |

7. International Compliance Checklist

  • Jurisdictions where the system is deployed or affects individuals identified
  • Applicable frameworks mapped (EU AI Act / Colorado / NYC LL 144 / UK)
  • Strictest requirement on each obligation dimension applied
  • For NYC employment tools: external bias auditor contracted; public summary prepared
  • For Colorado: impact assessment record completed before deployment
  • Compliance calendar updated with relevant dates (§6)
  • Guardian has reviewed multi-jurisdiction obligations